author | Matt Caswell <matt@openssl.org> | 2018-02-23 19:48:11 +0000 |
---|---|---|
committer | Matt Caswell <matt@openssl.org> | 2018-03-15 12:51:34 +0000 |
commit | 5af88441f4fb1951a0672c0c0e1979cd44acdb69 (patch) | |
tree | d88e289dfd03f3d3c8ca1fc6134e0303f1d196f7 /apps | |
parent | 2cedf79474ebc7bf910980f397decfaddec7122b (diff) | |
download | openssl-5af88441f4fb1951a0672c0c0e1979cd44acdb69.tar.gz |
Allow multiple entries without a Subject even if unique_subject == yes
It is quite likely for there to be multiple certificates with empty
subjects, which are still distinct because of subjectAltName. Therefore
we allow multiple certificates with an empty Subject even if
unique_subject is set to yes.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5444)
Diffstat (limited to 'apps')
-rw-r--r-- | apps/ca.c | 19 |
1 files changed, 19 insertions, 0 deletions
@@ -1721,6 +1721,20 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509,
 goto end;
 }
+ if (row[DB_name][0] == '\0') {
+ /*
+ * An empty subject! We'll use the serial number instead. If
+ * unique_subject is in use then we don't want different entries with
+ * empty subjects matching each other.
+ */
+ OPENSSL_free(row[DB_name]);
+ row[DB_name] = OPENSSL_strdup(row[DB_serial]);
+ if (row[DB_name] == NULL) {
+ BIO_printf(bio_err, "Memory allocation failure\n");
+ goto end;
+ }
+ }
+
 if (db->attributes.unique_subject) {
 OPENSSL_STRING *crow = row;
@@ -2034,6 +2048,11 @@ static int do_revoke(X509 *x509, CA_DB *db, REVINFO_TYPE rev_type,
 else
 row[DB_serial] = BN_bn2hex(bn);
 BN_free(bn);
+ if (row[DB_name] != NULL && row[DB_name][0] == '\0') {
+ /* Entries with empty Subjects actually use the serial number instead */
+ OPENSSL_free(row[DB_name]);
+ row[DB_name] = OPENSSL_strdup(row[DB_serial]);
+ }
 if ((row[DB_name] == NULL) || (row[DB_serial] == NULL)) {
 BIO_printf(bio_err, "Memory allocation failure\n");
 goto end;
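Review bot: The empty-Subject substitution is written out twice, once here in do_body and again in the do_revoke hunk, and the two copies already differ in their guard (the do_revoke copy also tolerates `row[DB_name] == NULL`, while the do_body copy dereferences `row[DB_name][0]` and so relies on a NULL check that sits above the hunk); a single static helper would keep the paths in sync, which matters because a row whose DB_name column is rewritten on issue is only found again by revoke if the lookup applies the identical rewrite. The helper's comment should also record that for empty-Subject entries the DB_name column of the index holds the hex serial, since anything else that reads the index will see that value in the subject column. Both enclosing functions, do_body and do_revoke, begin and end outside their hunks, and the do_revoke call site still relies on the existing NULL check that follows it.
```c
/*
 * An entry with an empty Subject stores its hex serial in the DB_name
 * column instead, so that unique_subject checks do not treat distinct
 * empty-Subject certificates as duplicates.  Every path that builds a
 * row for lookup must apply this same substitution.
 * Returns 1 on success; 0 if the copy could not be allocated, in which
 * case row[DB_name] is NULL.
 */
static int subst_empty_subject(OPENSSL_STRING *row)
{
    if (row[DB_name] == NULL || row[DB_name][0] != '\0')
        return 1;
    OPENSSL_free(row[DB_name]);
    row[DB_name] = OPENSSL_strdup(row[DB_serial]);
    return row[DB_name] != NULL;
}

/* … unchanged: do_body up to the serial-number allocation check … */
    if (!subst_empty_subject(row)) {
        BIO_printf(bio_err, "Memory allocation failure\n");
        goto end;
    }

/* … unchanged: do_revoke up to BN_free(bn) … */
    (void)subst_empty_subject(row); /* a NULL result is caught by the check below */
```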